Breeze Cache WordPress plugin under active attack via unauth file upload flaw
CVE-2026-3844, a critical 9.8-severity flaw in the Cloudways Breeze Cache plugin, is being actively exploited, with Wordfence logging over 170 attack attempts. The bug sits in the fetch_gravatar_from_remote function, which skips file-type validation and lets unauthenticated attackers upload arbitrary files — a straightforward path to remote code execution and full site takeover.
Exploitation is gated behind one condition: the ‘Host Files Locally - Gravatars’ add-on must be enabled. That is not the default, which narrows the blast radius across the plugin’s 400,000+ installs, but there is no telemetry on how many sites have the add-on toggled on. All versions up to 2.4.4 are affected; 2.4.5 ships the fix and has seen roughly 138,000 downloads so far.
Admins should update immediately. Where patching is blocked, disabling the gravatar add-on neutralizes the attack path, and pulling the plugin entirely is a reasonable short-term fallback given active exploitation.
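As an added illustration (not the Breeze plugin's code and not the 2.4.5 fix), the following shows what the missing file-type validation on a remote-fetch path like fetch_gravatar_from_remote needs to look like: the type is decided from the image bytes, the extension from that detected type, and the filename from a content hash, so nothing the remote side controls reaches the filesystem as a name or type. The function name, the Gravatar host allowlist and the `avatars` subdirectory are assumptions; the WordPress HTTP and upload-dir helpers are core functions.

```php
<?php
// Illustrative hardened pattern for mirroring a remote avatar locally.
// Not the Breeze plugin's code or its 2.4.5 fix; the function name,
// host list and target directory are assumptions. Runs inside WordPress
// (wp_remote_get, wp_upload_dir, wp_mkdir_p are WP core functions).

function example_fetch_avatar_locally( string $url ) {
    // Only fetch from the hosts we expect, over HTTPS (assumed host list).
    $parts = wp_parse_url( $url );
    $hosts = array( 'secure.gravatar.com', 'www.gravatar.com' );
    if ( 'https' !== ( $parts['scheme'] ?? '' )
        || ! in_array( $parts['host'] ?? '', $hosts, true ) ) {
        return new WP_Error( 'bad_host', 'Avatar URL host not allowed.' );
    }

    // Bound the download so a hostile server cannot fill the disk.
    $args     = array( 'timeout' => 5, 'limit_response_size' => 512 * 1024 );
    $response = wp_remote_get( $url, $args );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch avatar.' );
    }
    $body = wp_remote_retrieve_body( $response );

    // Decide the type from the bytes, never from the URL extension or the
    // remote Content-Type header; both are chosen by the sender.
    $info    = getimagesizefromstring( $body );
    $allowed = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );
    if ( false === $info || ! isset( $allowed[ $info[2] ] ) ) {
        return new WP_Error( 'not_an_image', 'Response is not an allowed image type.' );
    }

    // Name the file by content hash plus the detected extension, so the
    // remote side cannot pick a name such as shell.php.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'avatars';
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'mkdir_failed', 'Could not create avatar directory.' );
    }
    $name = hash( 'sha256', $body ) . '.' . $allowed[ $info[2] ];
    if ( false === file_put_contents( $dir . '/' . $name, $body, LOCK_EX ) ) {
        return new WP_Error( 'write_failed', 'Could not write avatar file.' );
    }
    return trailingslashit( $upload['baseurl'] ) . 'avatars/' . $name;
}
```

The same checks apply whether the caller is authenticated or not; a capability check on the endpoint is a separate control and does not replace validating the fetched bytes.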
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.